1 Introduction 


We consider the question of finality for blockchain protocols. Many such 
protocols, such as the original blockchain, Bitcoin, have the property of eventual consensus - that an ever 
growing prefix of the chain will be agreed upon by all participants forever onward. But they generally 
only give probabilistic finality on a specific block - that under some assumptions about the network and 
participants, if we see a few blocks building on a given block, we can estimate the probability that it is final. 

But what we’d prefer is to have ity - for example 

This is useful to prove what happened to light 
clients, who do not have the full chain or are not actively listening to the network, and to communicate with 
other chains, possibly as part of a scalability solution, where not everyone receives or stores all the data in the 
system. 

Another popular family of consensus mechanisms for blockchains involves getting Byzantine agreement 
on each block [? ]. This gives provable finality immediately. However this is slow if we have a large set of 
participants in the Byzantine agreement. 

The approach that we will take is similar to the approach that Ethereum plans to take with Casper the 


Friendly Finality Gadget (Casper FFG) [2], which combines these a then l au protec 
that finalises blocks that the participants already agree on, to get provable finality. — 


We present a finality gadget that 


Recent research on consensus has come up with many different block production mechanisms that give 
eventual consensus. We want formal guarantees to hold for finality gadgets that can easily be applied to 
many possible block production mechanisms. Thus we want to make as few assumptions about the block 
production mechanism as possible. 

An important goal of this work is to formalise the finality gadget problem. We want formal guarantees 
for safety and liveness for finality gadgets. 


1.1 Formalising the problem 


We want to formalise the notion of a finality gadget, that can be used to modify a protocol that has eventual 
consensus with probabilistic finality to one with provable finality. To achieve this, we need to incorporate 
into the definition of Byzantine agreement that we have access to a protocol that would achieve eventual 
consensus if we did not affect it. Consider a typical definition of a multi-valued Byzantine agreement: We 


Definition 1.1. A protocol for multi-valued Byzantine agreement has a set of values $S$ and a set of voters 
$V$, a constant fraction of which may be Byzantine, for which each voter $v \in V$ starts with an initial value 
$s_v \in S$ and, in the end, decides a final value $f_v \in S$ such that the following holds: 

• Agreement: All honest voters decide the same value for $f_v$ 
• Termination: All honest voters eventually decide a value 
• Validity: If all honest voters have the same initial value, then they all decide that value 


We can change this definition to assume that instead of having an initial value, all voters have access to 
an external protocol, an oracle for values, that achieves eventual consensus in that it returns the same value 
to all voters when called after some time. 


Definition 1.2. We say an oracle A in a protocol is eventually consistent if it returns the same value to all 


Definition 1.3. 


• Validity: All honest voters decide a value that A returned to some honest voter sometime. 

For the binary case, i.e. when |S| = 2, the Byzantine finality gadget problem is reducible to Byzantine 
agreement. This does not hold for |S| > 2, because the definition of validity is stronger. Note that it is 
impossible for multi-valued Byzantine agreement to make the validity condition require that we decide an 
initial value of some honest voter and tolerate more than a 1/|S| fraction of faults, since we may have a 
1/|S| fraction of voters reporting each initial value and Byzantine voters can act honestly enough not to be 
detectable. For finality gadgets, this stronger validity condition is possible and we will want even stronger 
versions that quantify when an honest voter had the value. 

We show in/7-T: that an asynchronous, deterministic binary finality gadget is impossible even with one 
fault. This does not immediately follow from the celebrated impossibility result of [3] because we do not 
know a reduction in the necessary direction, from agreement to the finality gadget problem. The extra 
information voters have here, that A will eventually agree for all voters, is not enough to make this possible. 


Now how do we extend this to agreeing on a chain of blocks? One difficulty in formalising the problem 
is that the . In order to 
So at a minimum, the block 


production mechanism needs to recognise which blocks the finality gadget has finalised. We will also allow 
the block production mechanism to interact with the state of the finality gadget in other ways. 

We want the finality gadget to work with block production mechanisms that are as general as possible. 
Thus we need a condition that combines the property of eventual consensus and this requirement to build 
on the last 


finalised block, but is otherwise not too restrictive. Oe Seely iti 


Actors whee are aperin cutie in both protocols may hiie differently in P depending on a 


ver in the reverse direction, eheoniymaythamanhonesivotenuisiehkaviouginigi 


We say that 


Definition 1.4. 


As a motivating example, we could take F as being using proof of work to build on the longest chain 
including the last block G finalised and take $A(v, s_v, B)$ as being the longest chain including $B$ that $v$ sees in 
state $s_v$. It is well-known [? ] that longest chain with proof of work achieves eventual consensus under the 
right assumptions and similar arguments show that in this case we have conditional eventual consensus. 


ie Ay will work in this system so that all honest voters finalise an increasingly long common chain. Thanks 
to the abstraction above, we can switch F for one of many possible alternative consensus algorithms and G 


will still work. 
of our finality gadget, we will need versions of the last two properties that 


appropriately depend on time: 


These properties will typically only hold with high probability. In the asynchronous case, we would need 
to measure time in rounds of the protocol rather than seconds to make sense of these properties. We are 


also interested in being able COM@MOVEIANANp UNIS ZAMN vorr o Nd 
• Accountable Safety: If blocks on different chains are finalised, then we can identify at least $f + 1$ 


1.2 Our results 


1.3 Our approach 


To come up with a solution to the blockchain Byzantine finality gadget problem, we will typically look 
at various Byzantine agreement protocols and use those to find protocols for the multi-valued Byzantine 
finality gadget problem. Agreement protocols with appropriate properties can be used to find protocols for the 
blockchain Byzantine finality gadget problem by considering running them in parallel at every block number. 
If the one block protocol has the right properties then they will agree on blocks consistently, so if we finalise 
a block then we also finalise its ancestors and we can come up with a succinct protocol. 

For example, suppose we have a one block protocol that calls for a vote on blocks which requires a 
participant to observe a supermajority, say votes from 2/3 of voters, for some block, or else the participant 
observes that the vote is undecided. Now imagine running this vote in parallel for every block number and 
have any honest voter vote for blocks from a particular chain. Byzantine voters may vote more than once, 
but if we count a vote for a block as a vote for each ancestor of the block in the vote for the instance of the 
one block protocol with its number, then Byzantine voters must also vote for chains, though they can vote 
for multiple chains. If we do this, then we see that if a block has a supermajority in a vote, then so do all 
its ancestors in their votes. Thus the blocks with a supermajority form a chain. Furthermore, if only 1/3 of 
voters equivocate then if a participant sees a subset of the votes for chains, then they must see a prefix of 
the chain of blocks for which all the votes have supermajorities. Intuitively, the protocol can agree on the 
prefix that 2/3 of voters agree on using this. 
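
The ancestor-counting argument above can be checked on a small tree. The following Python sketch is an added example, not code from the paper or from any GRANDPA implementation; the block tree, the voter names and the threshold of 2n/3 votes rounded up are assumptions, and it uses the simple counting of this paragraph rather than the paper's later definitions.

```python
# Added illustration: ancestor-counted voting on a small, constructed block tree.
# Block names, voter names and the rounding of the 2/3 threshold are assumptions.

# child -> parent; "G" is the genesis block. Two forks split after block A.
PARENT = {"A": "G", "B": "A", "C": "B", "B2": "A", "C2": "B2"}
BLOCKS = set(PARENT) | set(PARENT.values())


def chain(block):
    """Blocks from genesis up to and including `block`."""
    out = [block]
    while block in PARENT:
        block = PARENT[block]
        out.append(block)
    return out[::-1]


def supporters(votes, block):
    """Voters with at least one vote for `block` or for a descendant of it."""
    return {v for v, cast in votes.items() if any(block in chain(b) for b in cast)}


def equivocators(votes):
    """Voters who voted for two blocks that do not lie on one chain."""
    return {
        v for v, cast in votes.items()
        if any(a not in chain(b) and b not in chain(a) for a in cast for b in cast)
    }


def supermajority_blocks(votes, n):
    """Blocks supported by at least ceil(2n/3) of the n voters."""
    threshold = (2 * n + 2) // 3
    return {b for b in BLOCKS if len(supporters(votes, b)) >= threshold}


def supermajority_head(votes, n):
    """Walk down from genesis while exactly one child has a supermajority.

    Returns (head, conflicts). `conflicts` is empty when the supermajority
    blocks form a single chain ending at `head`; otherwise it lists the
    sibling blocks that both reached a supermajority.
    """
    agreed = supermajority_blocks(votes, n)
    if "G" not in agreed:
        return None, []
    head = "G"
    while True:
        kids = sorted(b for b in agreed if PARENT.get(b) == head)
        if len(kids) != 1:
            return head, kids
        head = kids[0]


# Constructed votes for n = 4 voters (so at most f = 1 may be Byzantine).
HONEST = {"v1": ["C"], "v2": ["C"], "v3": ["B"], "v4": ["C2"]}
# A participant who has not yet received v3's vote sees only a subset.
PARTIAL = {"v1": ["C"], "v2": ["C"], "v4": ["C2"]}
# One voter votes on both forks: still a single supermajority chain.
ONE_EQUIV = {"v1": ["C"], "v2": ["C"], "v3": ["B"], "v4": ["C2", "C"]}
# Two voters vote on both forks: both forks reach a supermajority.
TWO_EQUIV = {"v1": ["C"], "v2": ["C", "C2"], "v3": ["C", "C2"], "v4": ["C2"]}

if __name__ == "__main__":
    for name, votes in [("honest", HONEST), ("partial", PARTIAL),
                        ("one equivocator", ONE_EQUIV),
                        ("two equivocators", TWO_EQUIV)]:
        head, conflicts = supermajority_head(votes, 4)
        print(f"{name:17} head={head} conflicts={conflicts} "
              f"equivocators={sorted(equivocators(votes))}")
```

In the last scenario the two conflicting supermajorities can only arise because f + 1 = 2 voters voted on both forks, and those are exactly the voters `equivocators` returns.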

To ensure safety, each participant maintains an estimate $E_r$ of the last block that could have been finalised 
in round $r$. This has the property that in future rounds it overestimates the block that could have been 
finalised so that in round $r$, the chain with head $E_{r-1}$ contains all blocks that could have been finalised. 
Any honest voter only votes in round $r$ for chains containing their estimate $E_{r-1}$ and this guarantees that 
any block that could have been finalised in round $r - 1$ will be finalised in round $r$. 


1.4 Related Work 
1.4.1 Comparison with Casper 


The concept of finality gadget was introduced in Casper the friendly finality gadget and this remains the 
finality gadget which is most similar to ours. So it makes sense to compare these. However first, we should 
mention the other protocols that are also called Casper. 

The first Casper was Casper TFG. Casper CBC [4] gives a recent and clearly specified version of this 
protocol. Its fork choice rule uses the GHOST selection rule on votes. In Casper TFG, votes are blocks, 
but they are counted by participants (proposers and validators) like votes, which differs from how GHOST 
would be used with proof of work. It also has a flexible way of subjectively finalising blocks based on graphs 
of votes. 

In Casper FFG [2], validators vote on links between checkpoints, which occur at block numbers that are 
multiples of, say, 50. If there are 2/3 votes for one block at consecutive checkpoints, then we can finalise a 
chain of blocks up to the first checkpoint. 

Epochless Casper, 

Casper... 


There are two main differences between Casper FFG and GRANDPA. One is tha Aai 
i This is achieved by borrowing the concept 


of GHOST on votes from Casper TFG and applying it in a more traditional Byzantine agreement protocol. 
The other main difference is how the finality gadget affects the 
production mechanism. I 
indiide~nysfinalised(bIOEKSM Casper FFG [2] does not specify a fork-choice rule, but it requires that we build 
on justified blocks for liveness. Later specifications of Casper use the GHOST rule on votes for fork-choice. 
pemen there have been many diverse protocols that do this developed in the last few years. It also 


makes it far easier to prove liveness properties. @fitlepinalitigadgemhas non nnalisedmnythingrandysomdoes™> 


atever we ha 

On the other hand, while building on the longest chain in the absence of a finality gadget to maximize 
block rewards may be rational if everyone else does, this is not always the case for building on the longest 
chain including the last finalised block. This is because it may be likely that a different chain is going to be 
finalised, in which case the rational thing to do might be to build on that. The GHOST on votes fork choice 
rule of ? and ? may be more rational. It is not clear that it is, nor is it clear how to prove liveness for such 
a rule. Further research may be needed to show that there is a fork choice rule which is rational and leads 
to liveness for the finality gadget. 


2 Preliminaries 


Network model: We will mostly be using a partially synchronous gossip network model, such as that 


described in [1] section II A. Pantiei 
We Smo 


that the n 
he partial 


and so any message sent or received by an honest participant reaches all honest participants. T 

synchrony we will use is the model where maessagestamremeceivedl rit isinstimieyisi>mtypOSsiblysonl after 3SOmieN 

Gio RMAOMLMAGST. Concretely, i ici 
hangerthersetrofspanticipantswiomctvely agree sometimes, To model this, we 


e will want to c 
have a large set of participants who follow messages. For each voting step, there is a set of n voters. We will 


fre 


voters to agree on finality. 


For block $B$, we write $\mathrm{chain}(B)$ for the chain whose head is $B$. The block number, $n(B)$, of a block $B$ is 
the length of $\mathrm{chain}(B)$. 
For blocks $B'$ and $B$, we say $B$ is later than $B'$ if it has a higher block number. We write $B > B'$ or 
that $B$ is descendant of $B'$ for $B$, $B'$ appearing in the same blockchain with $B'$ later i.e. $B' \in \mathrm{chain}(B)$ with 
$n(B) > n(B')$ and $B < B'$ or $B$ is an ancestor of $B'$ for $B \in \mathrm{chain}(B')$ with $n(B') > n(B)$. $B \geq B'$ and 
$B \leq B'$ are similar except allowing $B = B'$. We write $B \sim B'$ or $B$ and $B'$ are on the same chain if $B < B'$, 
$B = B'$ or $B > B'$; and $B \nsim B'$ or $B$ and $B'$ are not on the same chain if there is no such chain. 


he set of voters who either have a vote es 
~ (The reason to count equivocations like this i y , that if S C T then 


if S has a supermajority for B so does T, while being able to ignore yet more equivocating votes from an 


equivocating validator 
r 
then this is a misnomer and we ma i i 
Note that, mpute g by starting at the gen 
e A a a we 


looking for a child of our current block with a 


Note that we can easily 
3 tells us that even i 


Next, we define a notion of possibility to have a supermajority which needs to have that if the set of all 
votes in a vote $T$ is tolerant and some participant observes a subset $S \subseteq T$ that has a supermajority for a 
block $B$ then all participants who see some other subset $S' \subseteq T$ still see that it is possible for $S$ to have a 
supermajority for $B$. We need a definition that extends to intolerant sets. 


We say that i S 


e 
Note that 


T tif 
OLED 


We say that 


. Again, provided S is tolerant, this holds if and only if for any possible child of B, there is 


no tolerant T C S that has a supermajority for that child. 
Note that it is possible for an intolerant S to both have a supermajority for S and for it to be impossible 


to have such a supermajority under these definitions, as we regard such sets as impossible anyway. 


D OE O 
(ii) If $S \subseteq T$ and it is impossible for $S$ to have a supermajority for $B$, then it is impossible for $T$ to have 
a supermajority for $B$. 


(iii) If g(S) exists and B ~ g(S) then it is impossible for S to have a supermajority for B. 


3 The GRANDPA protocol 


In this section, we give the protocol for GRANDPA, our finality gadget in the partially synchronous setting. 
In addition to i , we assume that 
ici i We will typically 


P 
either choose the primary pseudorandomly from or rotate through the voter set. 


We let $V_{r,v}$ and $C_{r,v}$ be the sets of prevotes and precommits respectively received by $v$ from round $r$ at 


e 2 enne o be e rrr int 
in the chain with head $g(V_{r,v})$. Next we define a 
condition which will allow us to safely conclude that $E_{r,v} \geq B$ for all $B$ that might be finalised in round $r$: 


In other words, a round $r$ is completable when our estimate chain $E_{r,v}$ contains everything that could 
have been finalised in round $r$. 
We have MEDo P that ? Inside 
a round, the properties both of E, „ having a supermajority, meaning Erv < g(V, as well as of it being 
impossible to have a supermajority for some given block are monotone, er 
will see this within time T. 


1. a 
where they are a voter. Let tr be the time v starts round r. 


Gu, OS 
Epi. 


(ii) round r is completable or 


(iii) it is impossible for $V_{r,v}$ to have a supermajority for any child of $g(V_{r,v})$, 
and then broadcasts a precommit for $g(V_{r,v})$ ((ii) is optional, we can get away with just (i) and 
(ii)). 


3.1 Finalisation 


, at any point aftersieyprecOmmmiuistep of round r, wephayvestiate3e=w9(Ong)GsilaverD 
y que WeMinaliselBD We may also send a commit 


message for $B$ that consists of $B$ and a set of precommits for blocks $\geq B$ (ideally for $B$ itself if possible, see 
"Alternatives to the last blockhash" below). 


If we receive a valid commit message for B for round r, then it contains enough precommits to finalise B 


4 Analysis 


4.1 Accountable Safety 
The first thing we want to show is asynchronous safety, 


follows from the property that 


@) This ensures that 
With an induction, (HSGSWHaEIeHSiTeS that anD 


ins. To show accountable safety, we need to turn this proof around to show 
the contrapositive, when we finalise different blocks, then there are $f + 1$ Byzantine voters. If we make this 
proof constructive, then it gives us a challenge procedure, that can assign blame to such voters. 


Theorem 4.1. If the protocol finalises any two blocks B,B’ for which valid commit messages were sent, 


PROUT VOE urthermore, CERES ynehmonouspneet iitonfindasorcastclincieXefeheeeByeantine® 
The challenge procedure works as (OO Gl ALE See es eines poor sthonstheee 
Cee iaee i mmivorpbionges© we are done. Otherwise, we may assume by 


symmetry that B was committed in round r and B’ in round r’ > r. There are at least n — f voters who 
precommitted > B’ or equivocated in round r in their commit messages, so 


Starting with $r'' = r'$, we ask queries of the following form: 


¢ W Ras AP, ¥ B when you prevoted for or precommitted to B” ž B in round r” >r? 
Annonser Should eepo, as is shown in Lemma ‘4.2: below. 
The response is of the following form: 
• Either a set $S$ of prevotes for round $r'' - 1$, or else a set $S$ of precommits for round $r'' - 1$, in either 
case such that it is impossible for $S$ to have a supermajority for $B$. 
Any honest voter should respond. In particular, ifo Voter responds inen wo Coed allvOlersuliow 
Giouldaverespondedibutididn Hasibyeanune and we return this set of voters, along with any equivocators, 


which will be at least n — f voters total. 


O We note however that @ilanyivotersidolrespondithen we mild 


If we ask such queries for a vote in all rounds between $r'' = r'$ and $r'' = r + 1$ and get valid responses, 
since some voter responds when $r'' = r + 1$, then we have either a set $S$ of prevotes or precommits in round 
$r$ that show it is impossible for $S$ to have a supermajority for $B$ in round $r$. 

If $S$ is a set of precommits, then if we take the union of $S$ and the set of precommits in the commit 
message for $B$, then the resulting set of precommits for round $r$ has a supermajority for $B$ and it is impossible 
for it to have a supermajority for $B$. This is possible if the set is not tolerant and so there must be at least 
$f + 1$ voters who equivocate and so are Byzantine. 


a query of the form 


• Which prevotes for round $r$ have you seen? 


e, by a similar argument to the above GSU iwillshavew/tslequivecations. 
So voters either equivocate or fail 


Lemma 4.2. An honest voter can answer the first type of query. 


We first show that, if a prevote or precommit in round $r$ is cast by an honest voter $v$ for a block $B''$, then 
at the time of the vote we had $B'' \geq E_{r-1,v}$. 


@RMESMABLSBSPM by step 2 or 3. In either case we have B” > E,—1 „ G2PCCOMMItS SIde 


CUM MUMIA (VAM. by step 4, HTAPECOMMLLEAe, so again this holds. It follows 
that, if B’ ¥ B, then we had Ey1 2 B.> 


We next show that if we had £,_1,, Žž B at the time of the vote then we can respond to the query validly, 


by demonstrating the impossibility of a supermajority for B. ETE 


then by Lemma 2. 2: (iii), 


this case 


BESEER. However, possibly using that a impossi 


ESDA). By Lemma 2.2 (i), this means G quid OMENS MUPSMAjoxityom 


®) again as desired. 


Thus we have that, 
@upemnajorityierBP The current sets 5 


so by Lemma 2.2 (ii), it is still impossible. Thus $v$ can respond validly. 


This is enough to show Theorem 4.1. Note that if $v$ sees a commit message for a block $B$ in round $r$ and 


ru a 


Qhoceduretthatystecess Mill identifies aMleastly SAN Byzantinewvoters)in some round. Thus we have that: 
Corollary 4.3. If there are at most $f$ Byzantine voters in any vote, $B$ was finalised in round $r$, and an honest 


4.2 Liveness 


We show the protocol is deadlock free and also that it 
@model) For this section, we will 
so that 


We define $V_{r,v,t}$ to be the set $V_{r,v}$ at time $t$ and similarly for $C_{r,v,t}$ and the block $E_{r,v,t}$. 


We first show that t 
Lemma 4.4. Then ÙD 
Vet C Vro and Crot © Crurvand v sees that r is completable at time t, then 


_ sees that r is completable at time t. 
Proof. Since v sees that r is completable at time t, either Epu < g(V-) requiring (n+ f +1)/2>2f+1 
votes, or else it is impossible for C;., to have a supermajority for any children of g(V,,,), requiring 2f + 1 
votes. In either case, both V, v, and C;,,,,, contain votes from 2f +1 voters and so the same holds for Vp wt 
and C;,» 47. By Lemma:2.1: (ii), g(Vrw e) > g(Vru2). As it is impossible for C,» to have a supermajority 
for any children of g(V,..,1), it follows from Lemma:2.2:(i & ii) that it is impossible for C;... 4” as well, and so 
both Erwe < g(Vrv,t) and v’ sees r is completable at time t’. But now E, w+ and E, wy are the last blocks 
on chain(g(V;,v,t)) for which it is possible for Cr» and C, wẹ respectively to have a supermajority, As it is 
possible for Crw’, to have a supermajority for EF,” 4, then it is possible for C} w, to have a supermajority 
for Ep wẹ as well, by Lemma:2.2: (ii) and tolerance assumptions, so Ep w'y < Erwt m 


4.2.1 Deadlock Freeness 


Now we can show deadlock freeness for the asynchronous gossip network model, when a message that is sent 
or received by any honest participant is eventually received by all honest participants. 


Proposition 4.5. Suppose that we are in the asynchronous gossip network model and that at most f voters 


Proof. We need to show that if all honest participants reach some vote, then all of them eventually reach 


If all honest voters reach a vote, then they will vote and all honest participants see their votes. We need 
to deal with the two conditions that might block the algorithm even then. To reach the prevote of round $r$, a 
participant may be held up at the condition that round $r - 1$ must be completable. To reach the precommit, 
a voter may be held up by the condition that $g(V_{r,v}) \geq E_{r-1,v}$. 

For the first case, the prevote, let $S$ be the set of all prevotes from round $r - 1$ that any honest voter saw 
before they precommitted in round $r - 1$. By Lemma 2.1, when voter $v'$ precommitted, they do it for block 
$g(V_{r-1,v'}) \leq g(S)$. Let $T$ be the set of precommits in round $r$ cast by honest voters. Then for any block 
$B \nleq g(S)$, $T$ does not contain any votes that are $\geq B$ and so it is impossible for $T$ to have a supermajority 
for $B$. In particular, it is impossible for $T$ to have a supermajority for any child of $g(S)$. 


Now consider a voter v. By our network assumption, there is a time t by which they have seen the votes 
in S and T. Consider any t' > t. At this point we have g(V,»,4,) > g(S). It is impossible for C, u, to have 
a supermajority for any child of g(S) and so Er—1,w, < g(S), whether or not this inequality is strict, we 
satisfy one of the two conditions for v to see that round r — 1 is completable at time t’. Thus if all honest 
voters reach the precommit vote of round r — 1, all honest voters reach the prevote of round r. 

Now we consider the second case, reaching the precommit. Note that any honest prevoter in round r 
votes for a block By > Er—1,w,t, where ty is the time they vote. Now consider any honest voter for the 
precommit v’. By some time t’, they have received all the messages received by each honest voter v at time 
ty and v’’s prevote. Then by Corollary ‘4.3: By > Eri 3t, > Er—1' w. Since Vru y contains these By, 
9(V,.0/0’) > Ep—1,»',7- Thus if all honest voters prevote in round r, eventually all honest voters precommit 
in round r. 

An easy induction completes the proof of the proposition. ∎ 


4.2.2 Weakly synchronous liveness 


Now we consider the E a The idea that @ietetissomeplonalstaDili® 


Let @ be i.e. the minimum over honest participants 


pn O O 


(i) $t_r \leq t_{r,v} \leq t_r + T$ for any honest participant $v$, 

(ii) no honest voter prevotes before time $t_r + 2T$. 
(iii) any honest voter $v$ precommits at the latest at time $t_{r,v} + 4T$. 
(iv) for any honest $v$, $t_{r+1,v} \leq t_r + 6T$. 


Proof. Let v’ be one of the first honest participants to enter round r i.e. with tru’ = tr. By our network 
assumption, all messages received by v’ before they ended are received by all honest participants before 
time t, + T. In particular at time t,, v’ sees that all previous rounds are completable and so by Corollary 
‘4.3, so does every other honest participant by time tp + T. Also since for r’ < r, at some time sp < tr 
GVr vs.) = Epes, again by Lemma 4, for all honest v, g(Vrvt.47) > Erwt +r. Looking at the 
conditions for voting, this means that any honest voter does not need to wait before voting in any round 
r’ <r. Thus they cast any remaining votes and enter round r by time t, + T. This shows (i). 

For (ii), note that the only reason why an honest voter would not wait until time $t_{r,v} + 2T \geq t_r + 2T$ is 
when $n - f$ voters have already prevoted. But since some of those $n - f$ votes are honest, this is impossible 
before $t_r + 2T$. 

Now an honest voter v” prevotes at time tr” + 2T < t, + 3T and by our network assumptions all 
honest participants receive this vote by time t, +47. An honest voter for the precommit v has also received 
all messages that v” received before they prevoted by then. Thus the block they prevoted has By, > 
Ey-1." > Ev—1.vt,+47, Since this holds for every honest voter v”, g(Vru,t,447) > Er—1,v,t,447- Thus they 
will precommit by time tr „ + 4T which shows (iii). 

By the network assumption an honest voter $v'$'s precommit will be received by all honest participants 
$v$ by time $t_{r,v'} + 5T \leq t_r + 6T$. Since $v$ will also have received all prevotes $v'$ saw when they precommitted 
by this time, their vote $B_{v'}$ will have $B_{v'} = g(V_{r,v'}) \leq g(V_{r,v,t_r+6T})$. Thus $C_{r,v,t_r+6T}$ contains precommits 
from $n - f$ voters $v'$ with $B_{v'} \leq g(V_{r,v,t_r+6T})$ and thus it is impossible for $C_{r,v,t_r+6T}$ to have a supermajority 
for any children of $g(V_{r,v,t_r+6T})$. Thus $v$ sees that round $r$ is completable at time $t_r + 6T$. Since they have 
already prevoted and precommitted if they were a voter, they will move to round $r + 1$ by at latest $t_r + 6T$. 
This is (iv). ∎ 




Lemma 4.7. Suppose $t_r >$ GST and every vote has at most $f$ Byzantine voters. Let $H_r$ be the set of prevotes 


(a) any honest voter precommits to a block $\geq g(H_r)$. 
(b) every honest participant finalises $g(H_r)$ by time $t_r + 6T$. 


Proof. For (a), we separate into cases based on which of the conditions (i)-(iii) that we wait for to precommit 
hold. 

For (i), all honest voters prevote in round $r$ by time $t_r + 3T$. So any honest voter $v$ who precommits at 
or after time $t_{r,v} + 4T \geq t_r + 4T$ has received all votes in $H_r$ and by Lemma 2.1, precommits to a block 
$\geq g(H_r)$. 

For (ii), we argue that no honest voter commits a block $\ngeq g(H_r)$ first. The result will then follow by an 
easy induction once the other cases are dealt with. Suppose that no honest voter has precommitted a block 
$\ngeq g(H_r)$ so far and that a voter $v$ votes early because of (ii). 

Note that, since we assume that all precommits by honest voters so far were $\geq g(H_r)$, it is possible for 
$C_{r,v}$ to have a supermajority for $g(H_r)$. For (ii) to hold for a voter $v$ i.e. for round $r$ to be completable, it 
must be the case that either it is impossible for $C_{r,v}$ to have a supermajority for $g(V_{r,v})$ or else be impossible 
for $C_{r,v}$ to have a supermajority for any children of $g(V_{r,v})$. By Lemma 2.2, we cannot have $g(V_{r,v}) < g(H_r)$. 
But by Lemma 2.1, these are on the same chain and so $g(V_{r,v}) \geq g(H_r)$. Since this is the block $v$ precommits 
to, we are done in case (ii). 

For (iii), let $v$ be the voter in question. Note that since $n - f$ honest voters prevoted $\geq g(H_r)$, it is possible 
for $V_{r,v}$ to have a supermajority for $g(H_r)$. By Lemma 2.1, $g(V_{r,v})$ is on the same chain as $g(H_r)$. For (iii), 
it is impossible for $V_{r,v}$ to have a supermajority for any children of $g(V_{r,v})$. If we had $g(V_{r,v}) < g(H_r)$, by 
Lemma 2.2, this would mean that it would be impossible for $V_{r,v}$ to have a supermajority for $g(H_r)$ as well. 
So it must be that $g(V_{r,v}) \geq g(H_r)$ as required. 

For (b), combining (a) and Lemma 4.6 (iii), we have that any honest voter $v$ precommits $\geq g(H_r)$ by 
time $t_{r,v} + 4T$. By our network assumption, all honest participants receive these precommits by time $t_r + 6T$ 
and so finalise $g(H_r)$ if they have not done so already. ∎ 


Lemma 4.8. Suppose that $t_r >$ GST, the primary $v$ of round $r$ is honest and no vote has more than $f$ 
Byzantine voters. Let $B = E_{r-1,v,t_{r,v}}$ be the block $v$ broadcasts if it is not final. Then every honest prevoter 
prevotes for the best chain including $B$ and all honest voters finalise $B$ by time $t_r + 6T$. 


Proof. By Lemma:4.6:and our network assumptions, no honest voter prevotes before time t; +2T > tru +2T 
and so at this time, they will have seen all prevotes and precommits seen by v at t,., and the block B if v 
broadcast it then. By Lemma 4.4; any honest voter v’ has Ep—1,w < B < g(Vr—1,v then. 

So if the primary broadcast B, then v’ prevotes for the best chain including B. If the primary did not 
broadcast B, then they finalise it. By Corollary:4.3, it must be that E,—1,v > B and so E,—1,., = B and so 
in this case v’ also prevotes for the best chain including B. 

Since all honest voters prevote $\geq B$, $g(H_r) \geq B$ and so by Lemma 4.7, all honest participants finalise $B$ 
by time $t_r + 6T$. ∎ 


Lemma 4.9. Supposelhatt), > GST P T andiheprimaryrofroundnzisthonest. Let Bybertheslatestybloek 
that is ever finalised in rounds < r (even if no honest participant finalises it until after tn). If all honest 
Proof. By Corollary : 4. 3; any honest participant sees that E, -1 2 B during round r. Let v be the primary 
of round r and B” = BE 1v,t,,- Hf B” > B, then by Lemma: Å. 8: all honest participants finalise B” by time 
t, + 6T which means they finalised a child of B. If B” = B, then by Lemma Å. 7; all honest voters prevote 
for the best chain including B. By assumption these chains include B’ and so g(H,) > B. By Lemma:‘4.7: 
this means that B’ is finalised by time t, + 6T. "B 


4.2.3 Recent Validity 


Lemma 4.10. 


Suppose that $t_r >$ GST, the primary of round $r$ is honest and all votes have at most $f$ 
Let $B$ be a block that less than $f + 1$ honest prevoters in round $r$ saw as being in the best 
Then either all honest participants finalise $B$ before 


Proof. Let $v'$ be the primary of round $r$ and let $B' = E_{r-1,v',t_{r,v'}}$. If $B' \geq B$, then by Lemma 4.8 all honest 
participants finalise $B$ by time $t_r + 6T$. If $B' \ngeq B$, then by Lemma 4.8, at most $f$ honest voters prevote 
$\geq B$. In this case, less than $2f + 1 \leq (n + f + 1)/2$ prevoters vote $\geq B$ or equivocate and so no honest 
participant ever has $g(V_{r,v}) \geq B$. ∎ 


Corollary 4.11. For $t - 6T > t' >$ GST, suppose that an honest participant finalises $B$ at time $t$ but that 
no honest voter has seen $B$ as in the best chain containing some ancestor of $B$ in between times $t'$ and $t$, 


5 Practicalities 


5.1 Changing the voter set on-chain in an asynchronously safe way 
5.1.1 Changing the voter set in an asynchronously safe way 


Suppose we have an on-chain protocol that decides we need a different voter set. Once everyone finalises the 
block, they know that we need to change the set. The protocol can cope with changing the voter set from 


some round r. The is that therehain has no idea Na Gurtent round number is) an deven 


. So instead we will not take advantage of the ability to change set from one round to the next. 


Thus if the current voter set has n — f honest 
voters, they will only finalise m blocks after such a B. We only accept votes and commit messages up top 


m blocks after B from the curr f voters. 
— round 1 with Ey = B’. 


5.1.2 Unsafe fallback for changing the voter set after stalling 


In extreme circumstances, 
t also breaks the chain of signed statements by the existing set of voters saying 


who the future set of voters should be. And it means we may be 
a However 
premono Welshouldlputlalvalidlcommitimessaselomchaim Honest block producers should 


put the most recent message on the chain, provided that there is one for a more recent block than 100 blocks 


ago. Then i 


The protocol for selecting voters should 
We should 


If we do not want to put commit messages on chain, then we can do the following @BVery>


(iii) m is the minimum that satisfies (i) and (ii)
then tigySwitchitolthelbestvalidatorseneivenlbyblockin. If the same block at height n is on everyone’s best 


chain, which can be shown to occur with hi given (i) for many block production mechanisms, 
then é k. If any 


100 consecutive blocks of the best men are produced iy: Te and amon block producers then gap


5.2 Alternatives to the last block hash 


The danger with 
ji It would also be nice to make the most of BLS multisig/aggregation, which 
allows a single signature for many messages/signers that can be checked in time proportional to the number
of different messages signed.
To get round the first alone, it might be better to vote for a block 3/4 along (rounding further) the
unfinalised chain, rather than for the head.

But the second suggests that maybe we should be including signatures for several of the latest blocks in
a chain. We could include the last 2 or 3. We could also do e.g. the blocks with block numbers with the
last 2 multiples of each power of two since the last finalised block, which gives log unfinalised chain length
re Are ET EET TESTES ESD but should have many blocks in common. 


noc iin nen ne ae 


need to count such votes as votes for the head of every chain in the vote (as someone might
interpret them as for any one of them). 
Then al een ts te > B Dr a nm se or YS E 


5.3 Block production rule 


If we adopt the rule that block producers should build on the best chain including the last finalised block,
then if we don’t finalise another block this will eventually include some prefix beyond the last finalised block,
and therefore the protocol is live by Lemma 4.10.


But the issue is that if agreement is much slower than block production, then we might have a prevote 
CEE MAAN AAEMTAISE This could be dixedybysbuildingronmypaiworeap. But if we do 
that, and these change very quickly, then we may never come to agreement on the best chain. 
So we have two possible chain selection rules for block producers:

1. Build on the best chain including the last finalised block B.
2. Build on the best chain including whichever of {E_r, E_{r-1}, B} is latest and > B.


1 is better if finalisation is happening quickly i j i 
E We could also consid like adopt 1 unless we see that the protocol is stuck or slow, then we switch to 2.


6 Why? 


6.1 Why do we wait at the end of a round and sometimes before precommitting? 


If the network is badly behaved, then these steps may involve waiting an arbitrarily long time. When the 
network is well behaved (after the GST in our model), we should not be waiting. Indeed there is little point 
not waiting to receive 2/3 of voters’ votes as we cannot finalise anything without them. But if the gossip
network is not perfect, and some messages never arrive, then we may need to implement voters asking other


In exchange for this, 


6.2 Why have a primary? 


We only need the primary for liveness. We need some form o 
itti The idea behind that attack is tha 
. If they can carefully time this, . Without the primary, 


i . If B is not the best block given the 
last finalised block but B’ with the same block number, they could stop either from being finalised like this 
even if the (unknown) fraction of Byzantine players is small. 


M We could also use a common coin for the same thing, ars people would prevote for either 


the best chain containing E_{r-1,v}, or g(V_{r-1,v}) depending on the common coin. With on-chain voting, it is
possible that we could use probabilistic finality of the block production mechanism - that if we don’t finalise 
a block and always build on the best chain containing the last finalised block then not only will the best 
chain eventually converge, but if a block is behind the head of the best chain, then with positive probability, 
it will eventually be in the best chain everyone sees. 

In our setup, having a primary is the simplest option for this. 


7 The asynchronous finality gadget problem 

Here we give an extension of the [3] result that shows the impossibility of having an asynchronous and 
deterministic finality gadget protocol and give an asynchronous protocol that uses a common coin primitive. 
7.1 Impossibility of a deterministic protocol 


The asynchronous binary fault tolerant agreement problem is as follows: 


UES OUTPUT 
either A always outputs z in {0, 1}


and we want that i 


Then this is impossible, even for one faulty node, which just goes offline. Note that this generalises
Byzantine agreement, since if we could, each node i could call A once at the start and use the output as v_i.
(For the multi-valued case, we will define the problem so that this reduction does not hold.)


Proof sketch. We follow the notation of [3] and assume for a contradiction that we use a correct protocol. 
Let r be a run of the protocol where A gives 0 all the time. Then by correctness r decides 0. Now we consider 
what can happen when A switches to 1 after each configuration in r. If it switches to 1 at the start, then 
the protocol decides 1. If we switch to 1 when all nodes have already decided 0, then we decide 0.

We claim that there is some configuration in the run r from which there are two runs where A is always 1
that decide 0 and 1. We call such states 1-bivalent. To see this, assume for a contradiction that r contains
no such configurations. Then there are successive configurations C, C' such that if A returns 1 in the
future from C then we always decide 0 but from C', we always decide 1. Let events be (p, m, x) where node
(processor/validator) p receives message m (which may be null) and executes some code where any calls to
A return x in {0,1}, then sends some messages. Then there is some event (p,m,0) that when applied to C
gives C'. Now suppose that p goes offline at C, then if A always returns 1 afterwards, then we still decide 1.
Thus there is a run r' that starts at C where p takes no steps, A always returns 1 and all other nodes still
output 1. But since p takes no steps in r', we can apply r' after (p,m,0) and so we have that C' has a run
where A always returns 1 but decides 1, which is a contradiction.

Now let C be a 1-bivalent configuration. We can follow the FLP proof to show that there is a run from 
C for which A always returns 1, all messages are delivered but all configurations are 1-bivalent and so the 
protocol never decides. This completes the proof by contradiction that there is no correct protocol. □


7.2 1/5 BFT finality gadget using a common coin 


In this section, we will assume the asynchronous gossip network model. By the previous impossibility result,
we will need to use randomness to get a finality gadget in this model. We assume that we have access to a


The common coin is a (secure cryptographic implementation of) the following protocol. 1t@SeSWetietum


for the prevote vote in the next round in case of ambiguity) GAl/G® It 
from {0,1}, identical for all who called it, and before 4f + 1 called it, no-one has any information about the


Here g_t(S) is the t-GHOST function defined as follows. We construct a chain starting with the genesis
block and adding the child of the current block such that most voters have votes > it until there are nt or 
less votes for any child of the current block, when we return the current block. 
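The t-GHOST rule just described, as an added Python sketch (not code from the paper): it reads "votes > B" as votes for B or one of its descendants and counts distinct voters. The block tree, voter names and the tie-break between equally supported children are constructed for illustration.

```python
from fractions import Fraction

# Constructed block tree (child -> parent); "G" is the genesis block.
PARENT = {"A": "G", "B": "A", "C": "A", "D": "B", "E": "C"}

def at_or_below(block, ancestor):
    """True when block >= ancestor, i.e. ancestor is on the chain ending at block."""
    while block is not None:
        if block == ancestor:
            return True
        block = PARENT.get(block)
    return False

def ghost(votes, n, t):
    """g_t(S): descend from genesis while some child of the current block has
    votes at or below it from more than n*t distinct voters; return where we stop.
    votes is a list of (voter, block); an equivocator counts once per child."""
    current = "G"
    while True:
        best, best_count = None, 0
        for child in sorted(c for c, p in PARENT.items() if p == current):
            count = len({v for v, b in votes if at_or_below(b, child)})
            if count > best_count:  # tie-break by name: an assumption of this sketch
                best, best_count = child, count
        if best is None or best_count <= n * t:
            return current
        current = best

# Constructed vote set T for n = 6 voters (f = 1, so n = 5f + 1).
N = 6
T = [("v1", "D"), ("v2", "D"), ("v3", "B"), ("v4", "B"), ("v5", "E"), ("v6", "C")]

def thresholds(votes):
    """g_t for the three thresholds used in section 7.2."""
    return {t: ghost(votes, N, Fraction(*t)) for t in [(1, 5), (3, 5), (4, 5)]}

if __name__ == "__main__":
    # A larger t stops earlier on the same chain (Lemma 7.1, item 4).
    print(thresholds(T))
    # Dropping votes can only move g_{3/5} towards genesis (Lemma 7.1, item 2).
    S = [v for v in T if v[0] != "v4"]
    print(ghost(S, N, Fraction(3, 5)), "is an ancestor of", ghost(T, N, Fraction(3, 5)))
```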

The idea behind the proof of asynchronous liveness is that for a particular block B’, some value of the 


(and indeed 


there would be runs that do this indefinitely as se is = i” impossibility result works for type of 


algorithm.) 
Firstly we note that much of the machinery of Section 2 carries over to the 1/5 Byzantine case.


Lemma 7.1. Let T be a set of votes such that at most f voters have multiple votes in T. Let t > (n + f)/2n.
Then

1. DREO ARNEOn Ue) defines p). 

2. If S ⊆ T has g(S) ≠ nil, then g(S) < g(T) for t > (n + f)/2n.

3. If S_i ⊆ T for 1 < i < n then all non-nil g_t(S_i) are on a single chain with head g(T).

4. If r < s, then g_r(T) > g_s(T).


So 


First we need to show that the protocol is deadlock free. @Smong asmane s Spre aT 


p i ici s. We just need to show 
that honest prevotes are eventually seen as justified. 


Lemma 7.2. } | } y 
Proof. v precommits B = g_{3/5}(V_{r,v}). Since V_{r,v'} ⊇ V_{r,v}, B < g_{3/5}(V_{r,v'}) by Lemma 7.1.2. So we just need to
show that if B < g_{3/5}(V_{r,v'}), V_{r,v'} contains votes from f + 1 voters that are not > B', where B' is the child
of B in the chain of g_{3/5}(V_{r,v'}). Since B = g_{3/5}(V_{r,v}), from the definition of g, B', like any child of B, does
not have votes from 3f + 1 voters > B' in V_{r,v}. Since V_{r,v} contains votes from 4f + 1 voters, there are votes
from at least f + 1 voters that are ≱ B' in V_{r,v} and so also in V_{r,v'}. □


Our network assumption and a simple induction shows that we do not deadlock. 


Corollary 7.3. All honest voters eventually prevote and precommit in every round and all honest participants


Lemma 7.4. 


Proof. For B to be finalised in round r, there need to be votes from more than n − f voters that are > B
and s_r = 1. Any honest participant v also sees that s_r = 1 and so they lock g_{1/5}(C_{r,v}). C_{r,v} contains votes
from at least 4f + 1 voters. At most f voters can have votes ≱ B in C_{r,v} if they also voted > B and at most
f voters do not have votes in C_{r,v}. Thus at least 2f + 1 voters have votes > B in C_{r,v}. Because g_{1/5} is not
unique in general, to show that g_{1/5}(C_{r,v}) > B, we also need to show that no block B' ~ B has f + 1 voters
with votes > B' in C_{r,v}. If this holds then the procedure to calculate g_{1/5} will not follow a chain that does
not include B and so it will return a block > B. Letting V_r be the set of prevotes ever cast, note that any
honest voter v' prevotes for a block g_{3/5}(V_{r,v'}) < g_{3/5}(V_r) and so as before honest voters precommit to blocks
in one chain. Since many honest voters precommit > B, all precommit ~ B, and so if f + 1 voters have
votes > B' in B then since at least one of those is honest B' ~ B. Thus we have g_{1/5}(C_{r,v}) > B.

Since all honest voters prevote > B in round r + 1, any participant who waits for votes from 4f + 1
voters will see g_{3/5}(V_{r+1}) = B and so all honest voters precommit > B in round r + 1. Since only at most f
voters vote ≱ B, only precommits > B are ever seen as justified by honest participants. Therefore all honest
participants will see g_{4/5}(C_{r+1}) > B. If s_r = 1, this is enough to finalise B. Since g_{1/5}(C_{r+1}) = g_{4/5}(C_{r+1}) =
B, whatever the common coin, all honest participants lock > B. By induction, this holds for all future
rounds. □
We want to show that this is asynchronously live.


Proposition 7.5. 


Proof. By Lemma 7.4, all honest voters prevote in round r for B or its descendants and so all honest
voters precommit to B or its descendants.

Let V_r be the set of prevotes of all voters. Using Lemma 7.1, all honest voters precommit g_{3/5}(V_r) or its
ancestors. Since some must precommit > B for it to be finalised, g_{3/5}(V_r) > B.

For the case g_{3/5}(V_r) = B, all honest voters precommit B and so any honest participant sees that
B = g_{1/5}(C_r) = g_{4/5}(C_r). Thus all honest participants lock B and so are free to prevote for B'' or its
descendants in round r + 1. Thus we finalise B'' in round r + 1 or the next round when s_r = 1 after that.

Otherwise, let B' be the child of B in the chain of g_{3/5}(V_r). We seek to show that we finalise either B'
or B''.

Let S be the set of honest voters who precommit in round r before 4f + 1 voters call the common coin.
Let S' be the set of honest voters who call the common coin before it is decided. Since 4f + 1 voters call
the coin before it is decided and honest voters who do so saw precommits from 4f + 1 voters, S' and S each
contain at least 3f + 1 voters.

Let h be the number of voters in S that precommit B' or its descendants. Note that the other |S| − h
voters just precommit B.

Now consider a particular voter v and the set C_{r,v} of precommits they received in step 4. The number
of voters with precommits in C_{r,v} is at least 4f + 1. If v ∈ S, all the honest voters with precommits in
C_{r,v} are in S. In this case we have that the number of votes for B' or its descendants in C_{r,v}, m_v, has
h − f < m_v < h + f. For v ∉ S', since f honest validators can be outside S, we have h − 2f < m_v < h + 2f.

Since any descendant of B that is not B' or its descendants receives less than f precommits for it or
its descendants, we have that either g_{1/5}(C_{r,v}) = B or g_{1/5}(C_{r,v}) = B' and similarly for g_{4/5}(C_{r,v}). Now
note that if h > 3f + 1, m_v > f + 1 and so g_{1/5}(C_{r,v}) ≥ B'. On the other hand if h < 3f + 1, for v ∈ S',
m_v < 4f + 1 and so g_{4/5}(C_{r,v}) = B.

If h > 3f + 1 and s_r = 1, then every honest voter locks a block > B'. Thus in round r + 1, they all prevote
> B'. By similar reasoning to Lemma 7.4, we finalise B' by the next round r' > r that we have s_{r'} = 1.

If h < 3f + 1 and s_r = 0, then every v ∈ S' locks only B. But then all such v will prevote their best chain
containing B and so a block > B''. There are only at most 2f voters who might not do this, the Byzantine
voters and the honest voters outside of |S| who prevote > B. Thus any honest voter who has seen prevotes
from n − f voters either sees g_{3/5}(V_{r+1,v}) = B or g_{3/5}(V_{r+1,v}) ≥ B'. Since all honest precommits are either
B or > B'', every honest voter locks either B or > B''. Since in round r + 2, all honest voters see that the
best chain including B also includes B'', this time they all prevote > B''. By similar reasoning to Lemma
7.4, we finalise B'' by the next round r' > r + 1 that we have s_{r'} = 1.

Crucially note that h depends only on S, which is determined when 4f + 1 voters call the common coin
and before it is flipped. Thus s_r is independent of h. If h < 3f + 1 then s_r = 0 with probability 1/2 and if
h > 3f + 1 then s_r = 1 with probability 1/2. So with probability 1/2, we have either both h < 3f + 1 and
s_r = 0 or both h > 3f + 1 and s_r = 1. Thus with probability at least 1/2, we finalise B' or B'' before the
next round after r + 1 when s_r = 1. □